Samsung Smart TV Doesn't Encrypt Voice Data: Hackers' Delight?

A researcher at a U.K. security firm claims that Samsung is not encrypting the voice data it may be collecting from its smart TVs and sharing with third parties, a practice permitted unless the smart TV owner opts out of the voice recognition feature.

David Lodge, who works for Pen Test Partners, conducted his own investigation: he captured Internet traffic from a Samsung smart TV and found that Samsung does not use HTTPS or Secure Sockets Layer (SSL) encryption for the voice data traffic. Instead, he notes in his blog post on the finding, Samsung is using a mix of XML and custom binary data packets.

"The sneaky swines; they're using 443/tcp to tunnel data over; most likely because a lot of standard firewall configurations allow 80 and 443 out of the network. I don't understand why they don't encapsulate it in HTTP(S) though," states Lodge, adding he sees a "potential for a rogue firmware updated enabling 'snooping' is significant."

The news comes just about a week after it was revealed that Samsung not only collects words spoken by smart TV users via the voice recognition feature but can even conduct facial recognition of TV users. Samsung was quick to respond to implications that it may be spying on users, saying that such features must be turned on by users and that only certain data, such as voice search queries, are shared with a third party.

One news report noted Samsung also issued a statement when the issue first hit the media headlines, stating "data collection is done in a transparent manner," and that it "does use industry-standard security safeguards and practices, including data encryption."

In regard to Lodge's research efforts on the voice data security issue, the security firm told a news outlet that it was able to decode the encoded voice audio.
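Lodge's observation that the traffic on 443/tcp is not actually TLS is something a defender can check on a network they monitor by looking at the first client bytes of each flow. The sketch below is an added example, not code from Lodge's post; the function names, addresses and sample payloads are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"CONNECT ")

def classify_443_payload(payload: bytes) -> str:
    """Classify the first client bytes of a TCP stream sent to port 443."""
    if len(payload) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        # A TLS session opens with a handshake record (type 22), a 3.x
        # record version, and a length within the protocol's record limit.
        if ctype == 22 and major == 3 and minor <= 4 and 0 < length <= 2**14 + 2048:
            return "tls"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    if payload.lstrip().startswith(b"<"):
        return "plaintext-xml"
    return "unknown-binary"

def flag_unencrypted(flows):
    """Return (src, dst, verdict) for port-443 flows that do not start with TLS."""
    return [(src, dst, verdict)
            for src, dst, dport, data in flows
            if dport == 443 and (verdict := classify_443_payload(data)) != "tls"]

# Constructed sample flows: (source, destination, destination port, first bytes).
# Addresses come from the documentation ranges; payloads are invented.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 443,
     b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 32),
    ("192.0.2.10", "198.51.100.6", 443,
     b'<?xml version="1.0"?><Request>constructed</Request>'),
    ("192.0.2.10", "198.51.100.6", 443,
     b"\x01\x00\x00\x10constructed-binary"),
    ("192.0.2.10", "198.51.100.7", 80,
     b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, verdict in flag_unencrypted(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:443 is not TLS ({verdict})")
```

A "tls" verdict only means the flow begins with a well-formed TLS handshake record; it says nothing about certificate validation or what the session carries afterwards.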

"So it does kinda spy on you, but then leaks the spied data on to the public internet," Ken Munro, another Pen Test Security researcher, said. "The critical point about this is that Samsung haven't encrypted the traffic."

The news also comes after revelations that Samsung is testing a marketing initiative on its smart TVs in which ads are inserted into locally stored video, with reports of the ads appearing in Reddit forum discussions.

"I watch most of my TV shows on a Samsung smart TV and it has been fantastic for the past year," states a post started by redditor beans90. "Recently it has been stopping half way through a show or a movie and has played a Pepsi ad that is muted. It does not do this on any other platform (PC, PS4, tablet) has anyone else experienced this?"

In response, Samsung stated that it was a trial pop-up effort and that the interactive capability is a feature users can also opt out of. Its privacy statement indicates the TVs can also record and track a user's gesture controls.